Data Security: Heartland Payment Breach Reveals Some Concrete Numbers

I found via databreaches.net that bankinfosecurity.org has a list of banks impacted by the Heartland Payment Systems breach. The CEO of Heartland called for the use of end-to-end data encryption, as I relayed last week. In a follow-up post, I noted that I still don't believe that up to 100 million accounts could be affected.

Compiling Numbers - A Little Premature?

I took the bankinfosecurity.org data as of 9 PM EST, February 9, 2009. The informal survey by bankinfosecurity.org shows that, of 512 responding banks, 83% said they were affected and 13% said they didn't know if they were affected. I take it that means at least 4% know they were not affected by the breach. There were approximately 7,500 banks in the U.S. as of 2005, although I'd say it's a far stretch to think Heartland did business with all of them.

This may be a premature exercise, since out of that 83%, only 124 companies are listed as having been impacted by the breach, and of those only 46 are reporting the total number of credit cards compromised.

On the other hand, I'm reminded vaguely of my statistics professor's words, that if a random sample has been collected, 40 samples should be good enough...in most situations. (I've probably taken it out of context...)

The Numbers

Of 124 companies on the list, 46 have reported how many cards were affected.

299,131 - Total cards/accounts affected

6,503 - Average accounts affected per company that's reporting figures

75,000 - Maximum accounts affected for one company

15 - Minimum affected for one company

Also, a breakdown of the frequencies:

# of accounts affected                     # of banks affected   % of total   cumulative %
100 or less                                                  4         8.7%           8.7%
200 or less, greater than 100                                6        13.0%          21.7%
300 or less, greater than 200                                3         6.5%          28.3%
400 or less (there's a pattern here...)                      3         6.5%          34.8%
500 or less                                                  2         4.3%          39.1%
1000 or less                                                 3         6.5%          45.7%
2000 or less                                                 6        13.0%          58.7%
5000 or less                                                 7        15.2%          73.9%
10000 or less                                                5        10.9%          84.8%
20000 or less                                                4         8.7%          93.5%
30000 or less                                                1         2.2%          95.7%
40000 or less                                                0         0.0%          95.7%
50000 or less                                                0         0.0%          95.7%
60000 or less                                                1         2.2%          97.8%
70000 or less                                                0         0.0%          97.8%
80000 or less                                                1         2.2%         100.0%
Total                                                       46       100.0%

Preliminary Conclusions

Don’t read too much into the above; chances are we're in need of more data. That's the first and foremost conclusion.

Canceling and reissuing cards costs about $10 per card, last time I checked. Obviously, there aren't any savings in volume... With almost 300,000 accounts affected to date, Heartland, which has admitted to the breach, will probably have to come up with at least $3 million to cover the costs of issuing new cards.

But wait, the survey had 512 participants.

With 46 banks accounted for, that leaves 466 banks unreported. We've only covered about 10% of the responding banks, essentially. Assuming the above patterns hold for the remaining banks, you can expect the final figures to reach 3.3 million accounts. Heartland may have to come up with at least $33 million for replacing cards alone.

On the other hand, they were PCI-compliant at the time of the breach, so perhaps not?

It looks like most banks affected will have 2,000 or less accounts compromised.

I still stand by my prediction that this Heartland breach will not sail past the TJX figures. With 7,500 banks in the US, and with 96% of banks affected in the sample, that means 7,200 banks would be affected by the Heartland breach, a conservatively high figure.

With the average bank having 6,500 accounts affected, it resolves into 46.8 million accounts, a far cry from the 100 million accounts bandied about. In fact, to reach that 100 million mark, the average account breached per bank would have to reach 14,000 accounts.

Yes; #4 is in direct conflict with #1. What can I say? Sometimes you just have to go with your gut feeling.
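The frequency table and the three extrapolations above are simple enough to check by hand, but the arithmetic is also the kind of thing a security team ends up re-doing every time a new batch of issuer disclosures lands. The script below is an added example, not part of the original post: it takes the bucket counts from the table (the only figures the page provides; no per-bank raw data is available), rebuilds the percentage and cumulative columns, and runs the post's scenarios (46 reporting banks, 512 survey respondents, 7,200 of 7,500 banks) at the stated $10-per-card reissue cost. Function names and the `BUCKETS` layout are this example's own assumptions.

```python
"""Rebuild the post's frequency table and run its breach-size extrapolations.

Added example, not code from the original post. All input figures (bucket
counts, 46 reporting banks, 299,131 accounts, 512 respondents, 7,500 banks,
$10 per reissued card) come from the post; function names and the data
layout are assumptions of this example.
"""
from typing import Dict, List, Tuple

# Upper bound of each "N or less" bucket and the number of banks in it,
# copied from the post's table. Buckets must be listed in ascending order.
BUCKETS: List[Tuple[int, int]] = [
    (100, 4), (200, 6), (300, 3), (400, 3), (500, 2), (1000, 3),
    (2000, 6), (5000, 7), (10000, 5), (20000, 4), (30000, 1),
    (40000, 0), (50000, 0), (60000, 1), (70000, 0), (80000, 1),
]

TOTAL_ACCOUNTS = 299_131          # sum over the 46 reporting banks, per the post
REPORTING_BANKS = 46
SURVEY_RESPONDENTS = 512
US_BANKS = 7_500
SHARE_AFFECTED = 0.96             # 83% affected + 13% unsure, per the post
REISSUE_COST_PER_CARD = 10.0      # dollars; the post's rule of thumb


def frequency_table(buckets: List[Tuple[int, int]]) -> List[Tuple[int, int, float, float]]:
    """Return rows of (upper_bound, count, pct_of_total, cumulative_pct).

    Percentages are rounded to one decimal to match the post. The cumulative
    column is derived from the running count rather than by summing rounded
    percentages, so rounding error does not accumulate down the table.
    """
    total = sum(count for _, count in buckets)
    rows = []
    running = 0
    for upper, count in buckets:
        running += count
        rows.append((upper, count,
                     round(100.0 * count / total, 1),
                     round(100.0 * running / total, 1)))
    return rows


def median_bucket(buckets: List[Tuple[int, int]]) -> int:
    """Smallest 'N or less' bound at which the cumulative share reaches 50%."""
    for upper, _, _, cumulative in frequency_table(buckets):
        if cumulative >= 50.0:
            return upper
    raise ValueError("buckets do not cover the whole sample")


def projected_accounts(mean_per_bank: float, banks_affected: int) -> float:
    """Total accounts if every affected bank looks like the sample mean."""
    return mean_per_bank * banks_affected


def reissue_cost(accounts: float) -> float:
    """Card replacement cost at the post's flat per-card rate."""
    return accounts * REISSUE_COST_PER_CARD


def mean_needed_for(target_accounts: float, banks_affected: int) -> float:
    """Average accounts per bank required to reach a given total."""
    return target_accounts / banks_affected


def scenarios() -> Dict[str, float]:
    """The post's three projections, keyed by the population they assume."""
    mean = TOTAL_ACCOUNTS / REPORTING_BANKS            # about 6,503
    wide_banks = int(US_BANKS * SHARE_AFFECTED)        # 7,200
    return {
        "reporting_46": projected_accounts(mean, REPORTING_BANKS),
        "survey_512": projected_accounts(mean, SURVEY_RESPONDENTS),
        "us_7200": projected_accounts(6_500, wide_banks),
        "mean_for_100M": mean_needed_for(100_000_000, wide_banks),
    }


if __name__ == "__main__":
    print(f"{'accounts affected':>18} {'banks':>6} {'%':>7} {'cum %':>7}")
    for upper, count, pct, cumulative in frequency_table(BUCKETS):
        print(f"{upper:>14} or less {count:>6} {pct:>6.1f}% {cumulative:>6.1f}%")
    print("median bucket:", median_bucket(BUCKETS), "or less")
    for name, accounts in scenarios().items():
        print(f"{name:>14}: {accounts:>14,.0f} accounts, ${reissue_cost(accounts):>14,.0f}")
```

Two things worth noticing when you run it: the cumulative share first crosses 50% at the "2000 or less" bucket, which is the basis for the remark that most affected banks will have 2,000 or fewer accounts compromised, and the 7,200-bank scenario needs an average of roughly 14,000 accounts per bank (more than double the observed mean) to reach the 100 million figure. Swap in updated bucket counts as more issuers report and the projections move with them.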

Comments

About a week-and-a-half ago, in a detraction from covering stories where AlertBoot hard drive encryption

February 24, 2009 4:15 AM

About sang_lee

Sang Lee is a Senior Account Manager and Security Analyst with AlertBoot, Inc., the leading provider of managed endpoint security services, based in Las Vegas, NV. Mr. Lee helps with the deployment and ongoing support of the AlertBoot disk encryption managed service.

Prior to working at AlertBoot, Mr. Lee served in the South Korean Navy. He holds both a B.S. and an M.S. from Tufts University in Medford, Massachusetts, U.S.A.